FATF Report-Virtual Assets Red Flag Indicators


FATF released a Virtual Assets Red-Flag Indicators report in September 2020. The report aims to assist reporting organizations, including financial institutions (FIs), designated non-financial businesses and professions (DNFBPs), and VASPs. It also emphasizes a risk-based approach to Customer Due Diligence (CDD) requirements, which requires reporting organizations to know who their customers and stakeholders are, understand the nature and purpose of the business relationship, and know the source of funds.


The report focuses on six categories of red-flag indicators: those related to transactions, to transaction patterns, to anonymity, to senders or recipients, to the source of funds or wealth, and to geographic risks. This blog summarizes the red flag indicators in the report.


Red Flag Indicators Related to Transactions

While the use of VAs for money laundering first appeared more than a decade ago, VAs are increasingly becoming mainstream for criminal activities. This set of indicators shows how the red flags traditionally associated with transactions involving more conventional payment methods remain relevant in detecting potential illegal activities related to VAs.

Red flags identified by the FATF that relate to the size and frequency of transactions:

  • Structuring VA transactions in small amounts, or in amounts below record-keeping or reporting thresholds.

  • Making multiple high-value transactions

  • Depositing VAs to an exchange and then often immediately

  • Accepting funds suspected of being stolen or fraudulent




Red Flag Indicators Related To Transaction Patterns

Some red flags show how the abuse of VAs for money laundering and terrorist financing purposes can be identified through irregular or unusual transaction patterns. Some of these red flags are:

  • Making a large initial deposit to open a new relationship with a VASP and funding the entire amount on the first day the account is opened, after which the client starts transacting with the total amount or a large part of it on the same day or the next day, or withdraws the entire amount the next day.

  • A new user tries to trade the entire balance of VAs, or withdraws the VAs and tries to send the entire balance off the platform.

  • Transactions involving the use of more than one VA without a logical business explanation.

  • Making frequent transfers to the same VA account in a specified period: by more than one person, from the same IP address by one or more people, or involving large amounts of money.

  • Incoming transactions in relatively small amounts from many unrelated wallets, followed by a transfer to another wallet or a full exchange for fiat currency.

  • Conducting a VA-fiat currency exchange at a potential loss.

  • Converting a large amount of fiat currency into VAs, or a large amount of one type of VA into other types of VAs, without a logical business explanation.


Red Flag Indicators Related to Anonymity

These red flags stem from inherent qualities and vulnerabilities of the technology that underlies VAs. Various technological features (mentioned below) increase anonymity and add barriers to the detection of criminal activity by law enforcement agencies (LEAs). Criminals who want to hide their VAs and their funds make use of these features. However, these indicators should be evaluated in the context of other customer and relationship characteristics, or a logical business explanation.

  • Transactions performed by a client involving multiple VA types, including higher-anonymity VAs such as anonymity-enhanced cryptocurrency (AEC) or privacy coins.

  • Moving a VA that runs on a public, transparent blockchain, such as Bitcoin, to a centralized exchange and then immediately swapping it for an AEC or privacy coin.

  • Customers operating as an unregistered/unlicensed VASP on peer-to-peer (P2P) exchange websites.

  • Abnormal transaction activity of VAs cashed out at exchanges from wallets associated with a P2P platform, without any logical business explanation.

  • VAs transferred to or from wallets showing previous activity patterns related to the use of VASPs that run mixing or tumbling services or P2P platforms.

  • Transactions using mixing and tumbling services, suggesting an intention to obscure illegal fund flows between known wallet addresses and darknet markets.

  • Money is withdrawn from a VA address that has direct and indirect exposure links to known questionable sources, including darknet markets, mixing services, suspected gambling sites, illegal activities, and reports of theft.

  • Use of decentralized hardware or paper wallets to move VAs across borders.

  • Users on the VASP platform who have registered their Internet domain names through proxies, or through domain name registrars (DNS) that hide or redact the domain name owners.

  • Many seemingly unrelated VA wallets are controlled from the same IP address (or MAC address) and may include the use of shell wallets registered to different users to hide their relationship with each other.

  • The use of VAs whose design is poorly documented, or that are associated with possible fraud or other means of implementing fraudulent schemes, such as pyramid schemes.

  • Receiving or sending money to VASPs whose CDD or know your customer (KYC) processes are weak or absent.


Member countries have to comply with the globally published FATF Recommendations for AML/CTF.


Red Flag Indicators about Senders or Recipients

These indicators concern the profile and unusual behavior of the sender or recipient of illegal transactions. Some of these red flags are:

  • Creating separate accounts under different names to circumvent the trading or withdrawal limits imposed by VASPs.

  • Transactions initiated from untrusted IP addresses, IP addresses from sanctioned jurisdictions, or IP addresses previously marked as suspicious.

  • Frequent attempts to open an account within the same VASP from the same IP address.

  • For merchants and corporate users, Internet domain registrations are in a jurisdiction different from the organization's own jurisdiction, or in a jurisdiction with a weak process for domain registration.

  • Irregularities observed during the CDD process: missing or insufficient KYC information, or a client declining requests for KYC documents or questions regarding funding sources.

  • Lacking knowledge of, or providing false information about, the sender/recipient, the transaction, the source of funds, or the relationship with the counterparty.

  • The client provided forged documents or edited photos and/or ID documents as part of the onboarding process.

  • Discrepancies arise between the IP addresses associated with the customer's profile and the IP addresses where transactions were initiated.

  • A client older than the average age of platform users opens an account and executes many transactions, suggesting their potential role as a VA money mule or a victim of elder financial exploitation.

  • A customer frequently changes their credentials, including email addresses, IP addresses, or financial information, indicating an account takeover against the client.



Red Flag Indicators for Fund or Wealth Source

The abuse of VAs is often related to criminal activities such as illegal smuggling of narcotic and psychotropic substances, fraud, theft, and extortion. Below are some common red flags regarding the source of funds or wealth linked to such criminal activities.

  • Dealing with VA addresses or bank cards linked to known fraud, extortion, or ransomware schemes, sanctioned addresses, darknet markets, or other illegal websites.

  • VA transactions arising from or for online gambling services.

  • Using one or more cards linked to a VA wallet to withdraw large amounts of fiat money.

  • Lack of transparency or insufficient information about the source and owners of funds, such as funds placed in an Initial Coin Offering (ICO), or incoming transactions from an online payment system through credit/prepaid cards followed by instant withdrawal.

  • A customer's funds are obtained directly from third-party mixing services or wallet vaults.

  • Most of a client's source of wealth is derived from investments made in VAs, ICOs, fraudulent ICOs, etc.

  • A client's wealth source is disproportionately derived from VAs from other VASPs that do not have AML / CFT controls.




Red Flag Indicators Related to Geographical Risks

The red flag indicators for geographical risks highlight how criminals, when moving their illegal funds, benefit from the different stages of implementation by jurisdictions of the revised FATF Standards on VAs and VASPs. Based on cases reported by the judicial authorities, criminals have exploited gaps in AML/CFT regimes for VAs and VASPs by moving their illicit funds to VASPs located or operated in jurisdictions that have no or only minimal AML/CFT regulations. These jurisdictions may not provide the full preventive measures required by the FATF Standards. Some red flags related to this indicator are listed below.

  • The client's funds originate from or are sent to an exchange that is not registered in the client's jurisdiction.

  • The customer uses a VA exchange or a foreign-based MVTS in a high-risk jurisdiction known to have no or insufficient AML/CFT regulations for VA entities, including inadequate CDD or KYC measures.

  • The customer sends money to VASPs operating in jurisdictions that do not have VA regulations or have not implemented AML/CFT controls.

  • The client sets up or moves offices in jurisdictions that do not have legal regulations governing VAs.

In brief, the report aims to provide a practical tool for both the public and private sectors to detect and prevent criminal money laundering and terrorist financing activities involving VAs, drawing on input from FATF members worldwide. Indicators are often just one of many factors contributing to the larger overall picture of potential ML or TF risk, and they must not be viewed in isolation.

